In typical cloud service provider environments, virtual network function providers and cloud customers that use standard cloud operating system (OS) installation offerings can use disk encryption in their operating system images. However, OS disk encryption capabilities that are provisioned and used on general purpose servers today still use methods that result in the bulk encryption master key being first derived and then extracted in the clear to random access memory to be used directly in software or hardware assisted cipher application programming interfaces (APIs). In multi-cloud environments (i.e., multiple cloud computing and storage services in a single heterogeneous architecture), customers and content service providers (collectively referred to as tenants) do not want to share or see any sensitive data, including encryption keys, of another tenant. Moreover, side-channel attacks may be executed on certain processor architectures to view otherwise inaccessible data in random access memory. Furthermore, existing solutions may be at risk to another attack vector whereby a rogue system administrator with elevated privileges may acquire keying material for storage media. Additionally, European Telecommunications Standards Institute (ETSI) network function virtualization (NFV) architecture specifications require virtual network functions images to be delivered by vendors and stored in repositories that are accessible to multiple entities, thereby raising the possibility that the images could be stolen, reverse engineered, manipulated to introduce malware code injection, and/or deployed on unauthorized systems.